25a3041691d6dd619674793fbc18b0d4a1ed4ccda48c69c2bf5fcfb853e54e00

General

Target

25a3041691d6dd619674793fbc18b0d4a1ed4ccda48c69c2bf5fcfb853e54e00.exe
Size

903KB
MD5

2ec00be64e179c3de3a63ed4d19d2b02
SHA1

563db59de0196434cea3ad0b9fa6c63c471bc5f3
SHA256

25a3041691d6dd619674793fbc18b0d4a1ed4ccda48c69c2bf5fcfb853e54e00
SHA512

17f5672b53b21bb7946772999be18f4c16ac84762e061a5f495de8383b67aeb61f114b17033db5da18c59759189eaf968b7a58805f79165fdcc45486a7f39825
SSDEEP

12288:1TUZ/Y95eo6L4ce7dG1lFlWcYT70pxnnaaoawZRVcTqSA+9rZNrI0AilFEvxHvBh:dqI4MROxnFMLqrZlI0AilFEvxHiOB

Score

1^/10

Malware Config

Signatures

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

25a3041691d6dd619674793fbc18b0d4a1ed4ccda48c69c2bf5fcfb853e54e00.exe

pid process

2728 25a3041691d6dd619674793fbc18b0d4a1ed4ccda48c69c2bf5fcfb853e54e00.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

25a3041691d6dd619674793fbc18b0d4a1ed4ccda48c69c2bf5fcfb853e54e00.exe

pid process

2728 25a3041691d6dd619674793fbc18b0d4a1ed4ccda48c69c2bf5fcfb853e54e00.exe

pid	process
2728	25a3041691d6dd619674793fbc18b0d4a1ed4ccda48c69c2bf5fcfb853e54e00.exe

pid	process
2728	25a3041691d6dd619674793fbc18b0d4a1ed4ccda48c69c2bf5fcfb853e54e00.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

25a3041691d6dd619674793fbc18b0d4a1ed4ccda48c69c2bf5fcfb853e54e00.execsc.exe

description	pid	process	target process
PID 2728 wrote to memory of 2828	2728	25a3041691d6dd619674793fbc18b0d4a1ed4ccda48c69c2bf5fcfb853e54e00.exe	csc.exe
PID 2728 wrote to memory of 2828	2728	25a3041691d6dd619674793fbc18b0d4a1ed4ccda48c69c2bf5fcfb853e54e00.exe	csc.exe
PID 2728 wrote to memory of 2828	2728	25a3041691d6dd619674793fbc18b0d4a1ed4ccda48c69c2bf5fcfb853e54e00.exe	csc.exe
PID 2828 wrote to memory of 2884	2828	csc.exe	cvtres.exe
PID 2828 wrote to memory of 2884	2828	csc.exe	cvtres.exe
PID 2828 wrote to memory of 2884	2828	csc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\25a3041691d6dd619674793fbc18b0d4a1ed4ccda48c69c2bf5fcfb853e54e00.exe
"C:\Users\Admin\AppData\Local\Temp\25a3041691d6dd619674793fbc18b0d4a1ed4ccda48c69c2bf5fcfb853e54e00.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\atd_ojsv.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6681.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6680.tmp"
    3⤵
    PID:2884

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6681.tmp

Filesize
1KB

MD5
6a82ee2848548da77f435f52ea551059

SHA1
5c785f96af61884611b7259439fc3f5d402b6c80

SHA256
46d5b9f1816e3510bf67ebed401cd9094f60fbc6a193ce0d0218a7ced37932b8

SHA512
cfc3ece79dceaaf9d8d41eb9ff8e162d36cd73a1dcd9f24f31aa423ee84cedc0f8aacbab26b071a1479e22fdcd71a9065d23c9d0c0bd126899222c4deac1cec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\atd_ojsv.dll

Filesize
76KB

MD5
27a9e4727c3fcdd3aaca3d05fc968fc3

SHA1
624a2604f8cd3edf7763cd706e015d6a37efcb72

SHA256
66e86aee29b54d8ec5523105a3b0b0424d9901b344ac6d102a51b076f94c4396

SHA512
4ae95f79fbb0126580f0ebdc0403780fb3911973ef4657f5d57e49e3d7482f24c5c81626c96cc9fa379cd00f071244b4cc852fe0e3eab0bf6d0924627391bd7d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC6680.tmp

Filesize
676B

MD5
be3d3b53b16d2f5a5fd0f0ba1e3fcb62

SHA1
c1b3b2c45cfc31ca5ee39f9740ec760b2e983ad7

SHA256
225e963a0f962cf7333be27bd8d8fcd00460b213e58d53b2c082e063c5101a7d

SHA512
9b353ebd22e5d4905244cf518c64ecabcf428aa1edbc0c91f7da4e3284490fb69a38430297ea7c123956b4e18dbc29787748c0a971c910d70b2929fcb0d39f84

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\atd_ojsv.0.cs

Filesize
208KB

MD5
6011503497b1b9250a05debf9690e52c

SHA1
897aea61e9bffc82d7031f1b3da12fb83efc6d82

SHA256
08f42b8d57bb61bc8f9628c8a80953b06ca4149d50108083fca6dc26bdd49434

SHA512
604c33e82e8b5bb5c54389c2899c81e5482a06e69db08268173a5b4574327ee5de656d312011d07e50a2e398a4c9b0cd79029013f76e05e18cf67ce5a916ffd9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\atd_ojsv.cmdline

Filesize
349B

MD5
db81804462fa3888fddaf14770b62f8c

SHA1
f80119fea9c5440265f516d92bef2cc103bc88b7

SHA256
54ca08a98111566d481e34f0c02bdd62a93040b36d7656442a64f68bd6632cb6

SHA512
23200bd91331812574d582083ed7c14e22388ba1a36a45b8f46e1113a6be320b65d7de58ec557eeeeed53a0df4455bf2cc5e4c7aca625f1a679abb682e144668

Download Submit
memory/2728-4-0x000007FEF4ED0000-0x000007FEF586D000-memory.dmp

Filesize
9.6MB

Download
memory/2728-0-0x000007FEF518E000-0x000007FEF518F000-memory.dmp

Filesize
4KB

Download
memory/2728-3-0x0000000000390000-0x000000000039E000-memory.dmp

Filesize
56KB

Download
memory/2728-2-0x000007FEF4ED0000-0x000007FEF586D000-memory.dmp

Filesize
9.6MB

Download
memory/2728-1-0x0000000000C20000-0x0000000000C7C000-memory.dmp

Filesize
368KB

Download
memory/2728-18-0x0000000000CC0000-0x0000000000CD6000-memory.dmp

Filesize
88KB

Download
memory/2728-20-0x00000000003B0000-0x00000000003C2000-memory.dmp

Filesize
72KB

Download
memory/2728-21-0x0000000000740000-0x0000000000758000-memory.dmp

Filesize
96KB

Download
memory/2728-22-0x0000000000460000-0x0000000000470000-memory.dmp

Filesize
64KB

Download
memory/2728-23-0x000007FEF4ED0000-0x000007FEF586D000-memory.dmp

Filesize
9.6MB

Download
memory/2728-24-0x000007FEF518E000-0x000007FEF518F000-memory.dmp

Filesize
4KB

Download
memory/2828-16-0x000007FEF4ED0000-0x000007FEF586D000-memory.dmp

Filesize
9.6MB

Download
memory/2828-25-0x000007FEF4ED0000-0x000007FEF586D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads